{{ $trivyServerURL := printf "http://trivy-server.d8-%s:4954" .Chart.Name | quote }}
{{ $dbRepository := printf "%s/security/trivy-db" .Values.global.modulesImages.registry.base | quote }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: trivy-operator
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name)) | nindent 2 }}
data:
  scanJob.podTemplateContainerSecurityContext: '{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true}'
  # disable log compression since it invokes binaries that are not present in a distroless image
  # https://github.com/aquasecurity/trivy-operator/blob/f612674ba0b7c66e3796e60cc29dc0dcd978caa5/pkg/plugins/trivy/plugin.go#L1209
  scanJob.compressLogs: "false"
  vulnerabilityReports.scanner: "Trivy"
  configAuditReports.scanner: "Trivy"
  report.recordFailedChecksOnly: "true"
  node.collector.imageRef: {{ include "helm_lib_module_image" (list . "nodeCollector") }}
  {{- with (include "helm_lib_tolerations" (tuple . "any-node") | fromYaml) }}
  scanJob.tolerations: {{ .tolerations | toJson | quote }}
  {{- end }}
  {{- with (include "helm_lib_node_selector" (tuple . "system") | fromYaml) }}
  scanJob.nodeSelector: {{ .nodeSelector | toJson | quote }}
  {{- end }}
  # Skip upmeter probes in vulnerability scanning
  # https://github.com/deckhouse/deckhouse/blob/v1.49.0/modules/500-upmeter/images/upmeter/pkg/probe/checker/k8s_statefulset.go#L138
  skipResourceByLabels: upmeter-group,upmeter-probe
  trivy.serverURL: {{ $trivyServerURL }}
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: trivy-operator-trivy-config
  namespace: d8-{{ .Chart.Name }}
  {{- include "helm_lib_module_labels" (list . (dict "app" .Chart.Name)) | nindent 2 }}
data:
  # Break down the trivy image string into trivy.repository and trviy.tag parts by ":" delimiter. Internally, these parts are just concatenated back into a single image string
  {{- $image := (include "helm_lib_module_image" (list . "trivy")) | splitn ":" 2 }}
  trivy.repository: {{ $image._0 }}
  trivy.tag: {{ $image._1 }}
  trivy.additionalVulnerabilityReportFields: ""
  {{- if .Values.operatorTrivy.severities }}
  trivy.severity: {{ .Values.operatorTrivy.severities | join "," }}
  {{- else }}
  trivy.severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  {{- end }}
  trivy.slow: "true"
  trivy.dbRepository: {{ $dbRepository }}
  trivy.command: "image"
  trivy.dbRepositoryInsecure: "false"
  trivy.useBuiltinRegoPolicies: "true"
  trivy.supportedConfigAuditKinds: "Workload,Service,Role,ClusterRole,NetworkPolicy,Ingress,LimitRange,ResourceQuota"
  trivy.timeout: "5m0s"
  trivy.resources.requests.cpu: 100m
  trivy.resources.requests.memory: 100M
  trivy.resources.limits.cpu: 500m
  trivy.resources.limits.memory: 500M
  trivy.serverURL: {{ $trivyServerURL }}
  trivy.mode: "ClientServer"
  TRIVY_LISTEN: "0.0.0.0:4954"
  TRIVY_CACHE_DIR: "/home/scanner/.cache/trivy"
  TRIVY_DEBUG: "false"
  TRIVY_SKIP_DB_UPDATE: "false"
  TRIVY_DB_REPOSITORY: {{ $dbRepository }}
  {{- if $.Values.global.modulesImages.registry.CA }}
  TRIVY_REGISTRY_CA: | {{ $.Values.global.modulesImages.registry.CA | nindent 4 }}
  {{- end }}
